kernel-packages team mailing list archive

[Bug 1381005] Re: Long stdin from terminal can result in code execution


I backported commit fb5ef9e7 and built a Vivid test kernel with it.  This kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1381005/

I tested the kernel on one of my machines and it seemed to fix this bug.

Can other folks that can reproduce this bug test the kernel and post
back if it solves the bug?

Thanks in advance!

** Tags added: utopic vivid

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Vivid)
   Importance: High
       Status: Confirmed

** Also affects: linux (Ubuntu Utopic)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: linux (Ubuntu Utopic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Vivid)
       Status: Confirmed => In Progress

** Changed in: linux (Ubuntu Utopic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Trusty)
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** Changed in: linux (Ubuntu Utopic)
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** Changed in: linux (Ubuntu Vivid)
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1381005

Title:
  Long stdin from terminal can result in code execution

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  In Progress
Status in linux source package in Utopic:
  In Progress
Status in linux source package in Vivid:
  In Progress

Bug description:
  Under certain conditions, the input entered from a terminal with a
  foreground process waiting for stdin can be interpreted and executed
  by the shell.

  Steps to reproduce:
  1) Open a terminal
  2) Run a simple program that waits for stdin (like cat, tee, head, tail, ...) or even the bash-builtin command read. No need to specify arguments
  3) Type or paste exactly 4096 ASCII characters into the terminal (see sample attachment)
  4) Press Enter

  What should happen:
  The program in foreground reads 4097 characters (the last one is new line).

  What actually happens:
  Instead of reading the input, the current program exits (read() only reads one character before EOF) and the shell executes the same input starting from the second character.

  I believe that the issue can be reproduced with:
  - any terminal (tested on xterm, gnome-terminal, tty)
  - any shell (tested on bash, zsh)
  - any program that reads stdin from terminal (not attached to a pipe)

  Debugging the shell with gdb suggests that the bug is in the implementation of read(), hence libc6 or under (kernel).
  Specifically, the bug is caused by read() reading only one character (new line) when entering a text of 4096 characters in stdin on the terminal. It looks like read() is then closing the stdin descriptor.
  If the input is 4097 characters long, read() will read two characters and the shell will interpret from the 3rd character, and so on.

  Verified on:
  Ubuntu 14.04.1 LTS

  Kernel:
  3.13.0-24-generic x86_64
  3.13.0-32-generic x86_64
  3.13.0-36-generic x86_64

  libc6:
  2.19-0ubuntu6
  2.19-0ubuntu6.1
  2.19-0ubuntu6.3

  I'm happy to provide more information if it helps.
  Angelo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1381005/+subscriptions
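A way to check a kernel for the behaviour the bug description reports without typing into an interactive terminal is to drive the same canonical-mode read() through a pseudo-terminal pair. The C harness below is an added example, not code from the bug report, from Joseph Salisbury, or from the kernel tree: it opens a pty via /dev/ptmx (Linux-specific ioctls, assumed here instead of posix_openpt so no feature-test macros are needed), feeds a line of N printable bytes plus a newline into the master side exactly as pasted input would arrive, then performs the single blocking read() a foreground program waiting on stdin would. The helper names open_pty_pair and probe_canonical_read are this example's own.

```c
/* Constructed harness (not from the bug report): measure what one
   canonical-mode read() returns for a line of a given length, using a
   pseudo-terminal pair in place of a real terminal. Linux only. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/select.h>
#include <termios.h>
#include <unistd.h>

/* Open a pty pair through /dev/ptmx. TIOCSPTLCK unlocks the slave,
   TIOCGPTN yields its number. Returns 0 on success, -1 on failure. */
static int open_pty_pair(int *master, int *slave)
{
    int unlock = 0, num = 0;
    char path[32];
    int m = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (m < 0)
        return -1;
    if (ioctl(m, TIOCSPTLCK, &unlock) < 0 || ioctl(m, TIOCGPTN, &num) < 0) {
        close(m);
        return -1;
    }
    snprintf(path, sizeof path, "/dev/pts/%d", num);
    /* O_NOCTTY: never adopt the slave as this process's controlling tty. */
    int s = open(path, O_RDWR | O_NOCTTY);
    if (s < 0) {
        close(m);
        return -1;
    }
    *master = m;
    *slave = s;
    return 0;
}

/* Feed `len` bytes of 'A' plus '\n' into the terminal, then do the one
   blocking read() a foreground program waiting on stdin performs.
   Returns that read()'s result: the byte count, 0 for EOF (the symptom in
   the report), -2 if no complete line became readable within 2 seconds,
   -1 if the pty could not be set up. */
long probe_canonical_read(size_t len)
{
    int m, s;
    struct termios t;
    if (open_pty_pair(&m, &s) < 0)
        return -1;

    /* Canonical (line-buffered) mode, as the shell leaves the terminal for a
       child such as cat or read; echo off so nothing flows back to master. */
    tcgetattr(s, &t);
    t.c_lflag |= ICANON;
    t.c_lflag &= ~(ECHO | ECHONL);
    tcsetattr(s, TCSANOW, &t);

    char *line = malloc(len + 1);
    if (!line) {
        close(s);
        close(m);
        return -1;
    }
    memset(line, 'A', len);
    line[len] = '\n';
    size_t off = 0;
    while (off < len + 1) {
        ssize_t w = write(m, line + off, len + 1 - off);
        if (w <= 0)
            break;          /* master accepted no more; read what got through */
        off += (size_t)w;
    }

    /* In canonical mode select() reports the slave readable only once a full
       line (or EOF) is queued, so a timeout means the line never completed. */
    fd_set rd;
    FD_ZERO(&rd);
    FD_SET(s, &rd);
    struct timeval tv = { 2, 0 };
    long result;
    if (select(s + 1, &rd, NULL, NULL, &tv) <= 0) {
        result = -2;
    } else {
        char *buf = malloc(len + 2);
        ssize_t n = buf ? read(s, buf, len + 2) : -1;
        result = (long)n;
        free(buf);
    }
    free(line);
    close(s);
    close(m);
    return result;
}

int main(void)
{
    /* 4096 is the length the report names; its neighbours bracket it. */
    size_t lens[] = { 100, 4095, 4096, 4097 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("line of %zu chars + newline: read() returned %ld\n",
               lens[i], probe_canonical_read(lens[i]));
    return 0;
}
```

Compile with `gcc -o probe probe.c` and run it on the kernel under test. For a short line the read() must return the whole line including the newline (101 for 100 characters). For the 4096-character case, a return of 1 or 0 (EOF) reproduces what the report describes, whereas a fixed kernel hands the program the line, subject to the line discipline's own line-length limit. The harness never passes the bytes to a shell, so a misbehaving kernel only shows up as a wrong count.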